Secrecy content of two-qubit states 
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We analyze the set of two-qubit states from which a secret key can be extracted by single-copy 
measurements plus classical processing of the outcomes. We introduce a key distillation protocol 
and give the corresponding necessary and sufficient condition for positive key extraction. Our results 
imply that the critical error rate derived by Chau, Phys. Rev. A 66, 060302 (2002), for a secure 
key distribution using the six-state scheme is tight. Remarkably, an optimal eavesdropping attack 
against this protocol does not require any coherent quantum operation. 

PACS numbers: 



I. INTRODUCTION 

It is known that all quantum correlations can be con- 
verted into secret ones, namely, into correlations that 
cannot be distributed by local operations and public com- 
munication 0. However, the identification of the precise 
quantum correlations (entangled states) that can be con- 
verted into a secret key remains an open problem. This 
paper focuses on this problem: we wish to determine 
which two-qubit states contain distillable secret correla- 
tions. More precisely, we aim to characterize the set of 
two-qubit states from which a secret key can be extracted 
by Single- copy Measurements plus ClAssical Processing 
(SIMCAP) protocols. 

As usual, Alice and Bob are the honest parties will- 
ing to communicate secretly and Eve is the adversary 
who tries to learn the secret messages. The scenario for 
key extraction that we consider is quite similar to that 
for entanglement distillation. The honest parties initially 
share a large number, N, of copies of a known two-qubit 
state pab- Instead of distilling entangled bits, or sin- 
glets, Alice and Bob's task here consists in extracting 
secret bits. Pure secret and entangled bits are indeed 
two different information resources that can be extracted 
from quantum states. Notice that in contrast with gen- 
eral security proofs of quantum key distribution (QKD) 
protocols, it is assumed that Alice and Bob know they 
share N independent copies of the two-qubit state pab ■ 
We restrict our considerations to SIMCAP protocols for 
several reasons. First, they do not require any coherent 
quantum operation, so they are experimentally feasible 
with present day technology. Second, it is interesting to 
compare these protocols with those employing coherent 
quantum operations performed by Alice and Bob. Fi- 
nally, results obtained for quantum states in the SIM- 
CAP scenario can be applied to quantum channels and 
prepare and measure QKD schemes , such as BB84 . 

In this paper, we consider a slightly improved version 
of the SIMCAP protocol with two-way communication 
introduced in Q. We derive a necessary and sufficient 
condition any two-qubit state must satisfy for this pro- 



tocol to be secure. The sufficiency of this condition is 
proved by showing that, if it holds, our protocol enables 
extracting a key that is secure against any attack. The 
necessity follows from the existence of an explicit eaves- 
dropping attack (given below), that breaks the protocol 
if the aforementioned condition is not satisfied. Remark- 
ably enough, Eve can implement this attack without any 
coherent quantum operation. As far as we know, this is 
the first necessary and sufficient condition for key distil- 
lation from quantum states using a two-way communica- 
tion SIMCAP protocol. 



II. THE PROTOCOL 

As mentioned above, Alice and Bob share N copies of 
a known bipartite state pab ■ Given this assumption, the 
SIMCAP key distillation protocol consists of three steps: 
(i) local measurement on each qubit pair pab , (ii) advan- 
tage distillation, and (iii) one-way key extraction. 

Measurements: Step (i) can be decomposed into the 
operations (a), (b), and (c) defined as follows. Opera- 
tion (a) is a single-copy filtering operation that Alice and 
Bob perform in order to maximize the entanglement of 
formation of their state. The operators Fa and Fg that 
characterize this filtering, pab ~* Fa®Fb Pab F* A ®Fg, 
are described in 5]. If the filtering fails, the qubit pair 
is rejected. If it succeeds, the resultingtwo-qubit state is 
diagonal in the Bell basis (defined in [g): 

Pab -» Ai [$+] + A 2 [*-] + A 3 [*+] + A 4 [*-] , (1) 

with Ai > and Xi = 1. Throughout this paper 
square brackets denote one-dimensional projectors (not 
necessarily normalized); e.g., [ip] = \ip){tp\- If Pab is al- 
ready diagonal in the Bell basis, this filtering leaves it 
unchanged. Operation (b) is a local unitary transforma- 
tion that Alice and Bob apply to the state JIJ to ensure 
that 



Ai = max Ai, 



Ao = min A, 



(2) 
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This is just a permutation of the coefficients Ai in QJ, 
and any such permutation can be achieved using only 
local unitaries Q. One can thus associate to any two- 
qubit state pab the pair of coefficients (Ai, A2). The last 
operation, (c), consists in measuring each qubit in the 
computational basis {|0), |1)}. 

These three operations can be seen as a single mea- 
surement performed by each of the honest parties, with 
outcomes: 0, 1 and reject. After discarding all the in- 
stances where the outcome reject is obtained, each of 
the honest parties has a list of partially correlated bits. 
These two lists do not constitute a shared secret key yet, 
because in general they are neither equal nor secret. Our 
goal is now to distill them to a secret key [steps (ii) and 
(iii) above]. 

Advantage distillation: Step (ii) is a reconciliation 
scheme introduced by Maurer in [8| that uses two-way 
communication. Within this scheme, each of the honest 
parties transforms blocks of M bits into a single bit. By 
doing that, Alice and Bob map their initial lists of bits 
into shorter, more secret and correlated ones. To achieve 
this goal, Alice randomly chooses M bits from her list of 
accepted outcomes, and Bob takes their M counterparts 
from his list: 

A U A 2 ...A M 

Bi,B 2 ...Bm- (3) 

Next, Alice generates a secret random bit sa, computes 
the M numbers X^ :— (A t + sa) mod 2, and sends the 
Af-bit string 

Xi,X 2 , ■ ■ ■ , Xm (4) 

through the insecure but authenticated public channel. 
Bob then adds bitwise (mod 2) this string to his list, 
Bi,B 2 , ■ ■ ■ Bm- If he obtains the same result sb for the 
M sums, i.e., if (Bi + JQ) mod 2 = sb for i = 1,2,... M, 
he keeps the bit sb and communicates its acceptance to 
Alice. Otherwise, the two parties reject the M bits. The 
bits sa and s b are the result of the advantage distillation 
process (ii). A large number of pairs (sa, sb) constitute 
the input of (iii). 

One-way key extraction: Step (iii) consists of the one- 
way communication procedure given by Devetak and 
Winter in 0- It concerns the situation where Alice has 
a classical random variable correlated to Bob and Eve's 
quantum states, and it enables (when possible) trans- 
forming these classical-quantum-quantum (CQQ) corre- 
lations into a secret key with maximal rate. In our case, 
the honest parties have the classical random variables 
(sa, sb) correlated with Eve's quantum states (CCQ cor- 
relations), this being a particular case of the scenario con- 
sidered in |9j]. Thus, their techniques immediately apply. 

Having discussed the protocol with some detail, we 
now state our main result: A secret key can be extracted 
from a two-qubit state pab by the protocol above if and 
only if its associated weights (Ai,A2) satisfy 



The sufficient and necessary statements of this result are 
proved in sections III and IV, respectively. 

III. SECURITY PROOF 

Let us first prove the security of this protocol. As 
usual, we conservatively assume that Eve has a large 
quantum system that is a purification of the whole state 
Pab ■ Note that all purifications of Alice and Bob's state 
are equivalent, since they only differ by a local unitary 
operation on Eve's Hilbert space. Without any loss of 
generality, the state of the three parties can be taken to 
be |\I> abe)® N , where Y&abe) is a purification of pab, 
i.e., pab = ^e[^ abe\- After the filtering operation (a), 
the tripartite state is still pure, hence, Eve holds the sys- 
tem that purifies the Bell-diagonal state (Q. The three 
parties thus share many copies of the state 

Fa® F b ®Ie\^abe) = v%\ $ + )ab | 1)e + \A2~I $~ )ab |2)e 
+ V^\^ + )ab\Z)e + V^I\^-)ab\±)e- (6) 

After step (i), Alice and Bob are left with classical data, 
whereas Eve could still hold a quantum system. The 
correlations they share are described by the state (up to 
normalization) 

[x}ab ® [4> x ]e, (7) 

X 

where x — 00, 01, 10, 11, and 

l^oo/n) = VAi"|l>± V^|2), 

IVoi/io) = 0^|3) ± v/Al|4). (8) 

Notice that the above vectors are non-normalized. After 
step (ii), Eve has her M (four-dimensional) quantum sys- 
tems as well as the information that the honest parties 
have exchanged through the public channel. In partic- 
ular, Eve has the M-bit string J3J. If she performs the 
unitary transformation 

Ui = [1] E + (~l) Xi [2}e + [3] B + (-l) x > [4] E (9) 

to her i-th system (i = 1 . . . M), up to normalization the 
tripartite state becomes 

$>Lm ® m% M - (io) 

X 

After this transformation, the tripartite state (|1U|> be- 
comes completely uncorrelated to (@J. The rest of the 
protocol is also independent of Q, and this information 
is no longer useful. Hence, all the correlations among 
Alice, Bob and Eve before step (iii) are described by the 
state iJTDJ. 

It was proven in [9|, that the secret key rate one can 
achieve with one-way communication (K—>) when Alice 
holds a classical system satisfies: 



(Ai-A 2 ) 2 >(l-A 1 -A 2 )(A 1 +A 2 ) (5) 



> I (A : B) - I (A : E), (11) 
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where I(X : Y) is the mutual information referred to the 
state (|1(J|I , and is defined in . After some algebra, the 
following equality can be obtained 



I(A : B) -I(A : E) = 1 - h(e B ) 



-{l-e B )h\ 



A M 



e B h 



KM 

Ji dif 



. (12) 



where 



es = 



(A3 + A 4 ) 



M 



A,-, 



(A!+A 2 )^ + (A3 + A 4 ) M 
Ai - A 2 | A | A3 - A 4 | 



Ai + A 2 



Adif 



A 3 + A 4 



(13) 



h(x) — — xlog 2 x — (1 — x) log 2 (l — a;), and the subscript 
'eq' ('dif ') refers to the outcome A being equal to (dif- 
ferent from) B. It can be checked that if condition J3J) is 
satisfied, there exists a sufficiently large M such that the 
right-hand side of {HJ, i.e., Eq. (|12(l . is positive. Thus, a 
secret key can be extracted from pab with our SIMCAP 
protocol. This completes the security proof. In the next 
section we prove that condition © is tight. 



IV. OPTIMAL EAVESDROPPING ATTACK 

Let us present a particular eavesdropping attack that is 
optimal in the sense that it breaks our SIMCAP protocol 
if JSJ is not satisfied. This attack is similar to that in [l2| . 

Without loss of generality, we assume that in step (iii) 
the public communication is sent from Alice to Bob. In 
the attack, Eve makes a guess, se, for Alice's outcome 
sa in such a way that se and sb are independent when 
conditioned on sa- That is, the probability distribution 
for these random variables P(sa, s_b, se) satisfies 



P(sb,Se\sa) = P(s B \s A ) P{se\sa) 



(14) 



To accomplish this, she first waits until step (ii) is com- 
pleted [recall that at this stage the three parties share the 
state I|1L)|| ]. and performs the two-outcome measurement 
defined by the projectors 

^c q = [1]b + [2] E , F dii = [3] B + [4] B , (15) 

on each one of her M systems. According to (|10|) . all 
M measurements give the same outcome. If Eve obtains 
the outcome corresponding to F cq , the tripartite state 
becomes (up to normalization) 



[00}ab ® [V>oo]i M + [U]ab ® [VT 18M 



J n\ E 



(16) 



In order to learn sa, she must discriminate between the 
two pure states V'oo and tpn. It was proved in |l4j | that 
the minimum error probability she can achieve is 



pc 



1 1 



r ,2M 



(17) 



where c is the overlap between the states. Applying this 
formula to Ijlfijl . we obtain the error probability in guess- 
ing s A 



1 4" 



A 2M 



(18) 



Similarly, if Eve obtains instead the outcome correspond- 
ing to i*dif , the error probability edif is given by l|18|) with 
the substitution A cq — > Adif. 

At this point, Eve's information consists of se (her 
guess for sa) as well as the outcome of the measure- 
ment l)15f) . To ensure 1)14(1 . Eve proceeds as follows. From 
(J2J), it can be seen that Adif < A cq , which implies that 
£dif < £cq- Then, when she obtains the outcome corre- 
sponding to Fdif, she increases her error until edif = £cq- 
She achieves this by changing the value of se with some 
probability. After this operation the tripartite proba- 
bility distribution is of the form i|14|) . Additionally we 
know that P(sb\sa) and P(se\sa) are binary symmetric 
channels with error probability es in (|13fl and e oq in I jlSj l , 
respectively. It is proven in [8j that in such situation the 
one-way key rate is 



= h(e cq ) - h(e B ), 
which is non-positive if 

e cq < es • 



(19) 



(20) 



Let us finally prove that this inequality holds for all 
values of M if condition JSJ is not satisfied. Define 
z = Ai + A 2 . The range of interest isl/2<z<l, 
since no secret key can be extracted from a separable 
state and a two-qubit state is entangled iff Ai > 1/2. 
After some algebra, one can prove the inequality 



(21) 




z M + (1 - z) M ' 



where M is any positive integer. The right-hand side 
of H21f> is equal to e B , whereas the left-hand side is an 
upper bound for e cq . This bound follows from the in- 
equality (Ai — A 2 ) 2 /z 2 < (1 — z)/z, which is the negation 
of |J5J. In summary, if condition (J5J is not satisfied, no 
secret key can be distilled with the considered protocol. 
Since we have previously proven the sufficiency of JSJ, 
the attack we have considered is optimal and the secu- 
rity bound 10 is tight for our SIMCAP protocol. 

It is worth analyzing the resources that this optimal 
eavesdropping attack requires. First of all, we note that 
Eve does not need to perform any coherent operation, i.e., 
she can make do with single-copy measurements. This 
follows from the fact that the minimum error probabil- 
ity o can be attained using an adaptive discrimination 
protocol consisting of projective measurements on each 
one of the M copies [T3I - Therefore, in order to break 
our key distillation protocol, what Eve does need is the 
ability to store her quantum states until after listening 
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to the (public) communication between the honest par- 
ties in step (ii). That is to say, she requires a quantum 
memory. If Eve can neither perform coherent operations 
nor have a quantum memory, the necessary and sufficient 
condition for the success of this protocol is Ai > 1/2 p|, 
which is the entanglement condition for two-qubit states. 



V. FINAL REMARKS 

In this paper, we have considered the problem of se- 
cret key extraction from two-qubit correlations. We have 
derived the necessary and sufficient condition for posi- 
tive key rate using an improved version of the SIMCAP 
protocol of Ref. 4]. If this condition does not hold, we 
have shown that an optimal attack can be implemented 
without any coherent quantum o per ation. In this case, 
and contrary to what happens in 16], quantum memory 
gives a significant advantage to Eve. 



Separability 



SIMCAP secure 



5 + 3^5 
20 
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FIG. 1: Security bounds for Werner states of two qubits, 
Eq. . If Alice and Bob can apply coherent operations, all 
entangled states are distillable to a secret key through entan- 
glement distillation. Here, we show the security of entangled 
Werner states under SIMCAP protocols up to Ai m 0.58. 
Whether the gap in the figure can be closed remains an open 
question. 

In view of the above, the first natural question one 
can ask concerns the optimality of the SIMCAP protocol 
discussed here. In other words, does condition (J5J charac- 
terize the set of all distillable two-qubit states with SIM- 
CAP protocols? Let us argue that this could indeed be 
the case. Recall that our protocol consists of three steps: 
measurements followed by two-way and one-way reconcil- 
iation. Concerning the third step, we employ the optimal 
protocol |3 • Therefore, the weak part in the reconcilia- 
tion process corresponds to the two-way communication 
step. Here, we have used the standard advantage dis- 
tillation protocol. Notice that its coherent version, usu- 
ally called recurrence, combined with one-way hashing 
techniques, enables the distillation of pure-state entan- 
glement from any entangled two-qubit state 01- As f ar 
as the measurement part is concerned, the single-copy fil- 
tering operation (a) is optimal in terms of entanglement 
enhancing Moreover, we have numerically checked 
that for Bell diagonal states of the form measuring 
in the computational basis is optimal within our recon- 
ciliation scheme. All this suggests that the necessary and 
sufficient condition (J5J could very well be completely gen- 
eral. If this were the case, there would exist some two- 



qubit entangled states for which extracting secret bits 
would require coherent operations (see Fig. In other 
words, there would be quantum states whose secrecy con- 
tent would not be distillable by SIMCAP protocols. 

Since our protocol does not require any coherent quan- 
tum operation on Alice and Bob's side, our results can be 
related to the security of prepare and measure schemes, 
such as BB84 |3j. Indeed, every state can be associ- 
ated to a channel, and then, the sequence of measure- 
ments defines a QKD prepare and measure protocol. 
Note however that in a fully general security proof for 
these schemes, one must not make any assumption on the 
global state shared by Alice and Bob. That is, one must 
consider the most general correlated state of N pairs of 
systems compatible with the single-pair description. In 
our analysis, however, it is assumed that Alice and Bob's 
state consists of N copies of the same two-qubit state. In 
the prepare and measure picture, this means that Eve in- 
teracts individually with the quantum states sent to Bob; 
they are the so-called collective attacks |10|. The recent 
results of suggest that Eve gains no advantage by in- 
troducing correlations among the pairs of systems shared 
by Alice and Bob. If this were proved correct, our results 
would indeed provide a tight, general security proof for 
a whole family of schemes and channels. Note also that 
while the sufficient part of our security condition relies 
on the N copies hypothesis, the necessary part does not. 
It simply senses the existence of an attack that can be 
applied to any protocol equivalent to ours. 

Finally, it is interesting to compare our results with 
previous security pro ofs using two-way communication 
for QKD schemes [l8| . When the attack described above 
is applied to the six-state protocol, Eve prepares N in- 
dependent copies of a two-qubit Werner state: 



1 - A 



I ([*-] + [*+] + [*-]). (22) 



PAB = Ai [$ + ] 



Condition JSJ shows that a secure key extraction is not 
possible with our protocol if the error rate is larger than 



QBER = 2 1 o Al = 0.2764. 



(23) 



This is precisely the same value as obtained by Chau in 
(ill . Indeed, his protocol is equivalent to ours. The at- 
tack we have presented proves that, unless another two- 
way reconciliation technique is employed, this critical er- 
ror rate cannot be improved, i.e., is tight. 
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